Microsoft’s August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it’s back!) and Visual Studio — and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment. The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it’s time to pay attention to Microsoft updates again. We have made “Patch Now” recommendations for Windows, Exchange and Adobe for this month.

You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Key testing scenarios

Given the large number of changes included in this August patch cycle, I’ve broken down the testing scenarios into high-risk and standard-risk groups:

High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:
Service Stack Update: There is a significant change to the Microsoft Servicing Stack (SSU). I’ve written a brief explainer that details some of the ways Microsoft “updates the update process” and how its servicing stack has moved to a single, combined update each Patch Tuesday. The changes included for August will require reboot testing to gather/collate and then parse event viewer logs. Microsoft provided a useful reference to Windows Boot Manager event viewer data, found in KB5016061.
Web Printing: Though there don’t appear to be any functional changes, Microsoft has updated how web documents (HTML and JPEG) are printed. Basic print testing is required here. It does not look like this update will take down any servers, print servers or otherwise.
The following updates are not documented as functional changes, but still require a full test cycle:
Microsoft FAX: Like printing, we now have to test enterprise FAX services with each Patch Tuesday update. This month’s update is actually quite cool; it addresses a vulnerability in junctions, which I’ve not used since the early 2000s. Here’s a hint: avoid FAX drivers, and don’t use junctions. They were a cool way to manage directory redirect requirements through the registry — and are definitely not needed on a modern desktop.
DirectComposition: This Windows component allows for rapid bitmapping and animations. There was an API update this month that may require testing for internally developed applications. I can’t share the specific API changes, but I suggest you scan your applications (and subsequently test) for any references to IDCompositionDevice3.
Microsoft Office Updates: We recommend a general “smoke” test for all updated Microsoft Office products this month. Specifically for Outlook, we recommend testing with a Gmail account and then switching to a Microsoft account; test sending invitations between accounts. This applies to all supported versions of Microsoft Office.
Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32K.SYS) this month, it may be worth looking at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You will need to know C++ or C# and you will need the Windows Driver Kit (WDK). Note that for each of these testing scenarios, a manual shut-down, reboot and restart is recommended, with a focus on Boot Manager entries in the event viewer logs.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. This month, there are some really complex changes:
The Secure Boot Forbidden Signature Database (DBX) prevents revoked UEFI modules from loading on systems with the Unified Extensible Firmware Interface (UEFI). The KB5012170 update adds modules to the DBX in an attempt to address a vulnerability that exists in the secure boot loader process. Unfortunately, if BitLocker is enabled with the PCR7 binding, this update may fail. To resolve this issue, use the following command: “Manage-bde –Protectors –Disable C: -RebootCount 1.” Then deploy the update and reboot.
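The suspend-then-patch step above, as an added PowerShell pre-flight check (example code, not from the original article or from Microsoft): it only suspends BitLocker when a TPM protector is actually bound to PCR7, and for one reboot only, so the protector re-arms itself. It assumes an elevated session with the BitLocker and SecureBoot modules plus manage-bde.exe available, and that manage-bde reports PCR7 binding with the text shown in the comment.

```powershell
# Added example, not from the original article: pre-flight check before deploying
# KB5012170 (DBX update) to a BitLocker-protected system drive.
# Assumes an elevated PowerShell session with the BitLocker and SecureBoot modules
# and manage-bde.exe available (standard on supported Windows client/server SKUs).
param([string]$MountPoint = 'C:')

$tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

function Test-Pcr7Binding {
    param([string]$Drive)
    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') { return $false }      # nothing to suspend
    $hasTpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $tpmTypes }
    if (-not $hasTpm) { return $false }                        # no TPM protector, no PCR profile
    # Get-BitLockerVolume does not expose the PCR profile; manage-bde prints it as
    # "PCR Validation Profile: 7, 11 (Uses Secure Boot for integrity validation)"
    # when the protector is bound to PCR7 (assumed output text; verify on your build).
    $details = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"
    return [bool]($details -match 'Uses Secure Boot for integrity validation')
}

try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    Write-Output 'Legacy BIOS boot: Secure Boot/DBX does not apply; install normally.'
    return
}
if (-not $secureBoot) {
    Write-Output 'Secure Boot disabled: PCR7 binding is not in use; install normally.'
    return
}
if (Test-Pcr7Binding -Drive $MountPoint) {
    # Same effect as the article's manage-bde -Protectors -Disable C: -RebootCount 1:
    # protectors are suspended for exactly one restart and re-armed automatically.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Output "BitLocker suspended on $MountPoint for one reboot; deploy KB5012170 and restart now."
} else {
    Write-Output "No PCR7-bound protector on $MountPoint; deploy KB5012170 normally."
}
```

After the restart, confirm with Get-BitLockerVolume that ProtectionStatus is back to On before moving to the next host.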
After installing KB4493509, devices with some Asian language packs installed may receive the error “0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. PSFX is a differential compression mode used to reduce the size of Microsoft updates. Microsoft has probably published the most interesting update deployment and packaging article ever to be included in the middle of a long technical article related to packaging and updates. Given that this issue relates to how Windows installs feature-level components, Microsoft recommends reinstalling any language packs. This usually solves the problem — though it’s not an official fix.
After installing this month’s update on Windows 10 builds, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. Microsoft is still working on an official fix.
And for the latest release of Windows 11, it appears as if this month’s update may lead to the XPS Viewer utility behaving badly (using increasing processor and memory resources) before closing unexpectedly (i.e. badly). A reboot will resolve the issue until Microsoft posts a fix.

Major revisions

Though we have fewer “new” patches released this month, there are several updated and newly released patches from previous months:
CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This is the fourth update to this .NET security fix. First released in April, all subsequent revisions have related to updating the products affected by this patch. It appears that all versions of Windows 10, Windows Server 2016 and, with this latest revision, Windows 8 and Server 2012, are affected. If you are using Windows Update (or even Autopatch), no further action is required.
CVE-2022-30130: .NET Framework Denial of Service Vulnerability. This revision to May’s update now includes coverage for Windows 8 and Server 2012. This is only an informational update — no further action required.
ADV200011: Microsoft Guidance for Addressing Security Feature Bypass in GRUB. This revision relates to the Linux sub-system boot loader in Windows. For more information, refer to KB5012170 and the very informative blog post, “There’s a hole in the boot.”
Mitigations and workarounds
CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability. Microsoft has provided a set of PowerShell mitigation commands to reduce the severity of an attack by disabling NFSV4.1: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”. Running this command will require a reboot of the target system. Microsoft recommends patching these systems as soon as possible, even with NFSV4.1 disabled.
CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability. Microsoft advises that this vulnerability is applicable only if you are, in fact, actually running Active Directory Certificate Services. If you are, you need to deploy the Microsoft May 10 update immediately and enable Audit events. Take your time planning and deploying this patch as it may put your server into a special compatibility mode. You can read more here: KB5014754. You have until May 9, 2023 before Microsoft closes this loophole.
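The NFS mitigation for CVE-2022-34715 listed above, wrapped as an added PowerShell example (not from the original article or from Microsoft) that records the pre-change state so the setting can be reverted once the patch is confirmed. It assumes the Server for NFS role with its NFS module (Get-/Set-NfsServerConfiguration, whose EnableNFSV4 property/parameter it relies on) and an elevated session.

```powershell
# Added example, not from the original article: apply and later revert Microsoft's
# interim mitigation for CVE-2022-34715 (disable NFSv4 on the Windows NFS server).
# Assumes the Server for NFS role with its NFS PowerShell module, run elevated.
# EnableNFSV4 is the module's own property/parameter name (assumed here).
$StatePath = Join-Path $env:ProgramData 'nfs-v4-state-before-mitigation.xml'

function Disable-NfsV4Mitigation {
    $cfg = Get-NfsServerConfiguration
    if (-not $cfg.EnableNFSV4) {
        Write-Output 'NFSv4 is already disabled; nothing to do.'
        return
    }
    # Record the pre-change state so the mitigation can be reverted after patching.
    $cfg | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4 | Export-Clixml -Path $StatePath
    Set-NfsServerConfiguration -EnableNFSV4 $false
    Write-Warning 'NFSv4 disabled. The change takes effect after a reboot; patch the host as soon as possible.'
}

function Restore-NfsV4 {
    if (-not (Test-Path $StatePath)) {
        Write-Output 'No saved pre-mitigation state found; nothing to restore.'
        return
    }
    $saved = Import-Clixml -Path $StatePath
    if ($saved.EnableNFSV4) {
        # Only re-enable what was enabled before the mitigation was applied.
        Set-NfsServerConfiguration -EnableNFSV4 $true
        Write-Warning 'NFSv4 re-enabled; a reboot is required.'
    }
    Remove-Item -Path $StatePath
}

# Run Disable-NfsV4Mitigation ahead of the patch window; run Restore-NfsV4 only
# after the August update is confirmed installed on this host.
Disable-NfsV4Mitigation
```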
Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, “When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding.” Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:
Sign out of and back in to Office.
Disable support diagnostics in Outlook with the following registry key: software\policies\microsoft\office\16.0\outlook\options\general\disablesupportdiagnostics, Disabled value = 0
Manually set the email address to the identity of the user that is seeing the issue in the registry path.
You can find out more about Microsoft Diagnostic settings here. This is a bit embarrassing for Microsoft, as this is another major Office issue following the recent Uber receipt crashing issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
And Adobe (retired???, maybe next year).
Browsers

Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were a few new features in the latest stable release (103), which can be found here. Add these low-profile updates to your standard patch release schedule.

Windows

Microsoft addressed 13 critical issues and 43 issues rated important this month. This is a fairly broad update that covers the following key Windows features:
Windows Point-to-Point Tunneling Protocol including RAS;
Kernel Updates (Win32K.SYS);
Windows Secure Socket Tunneling Protocol (SSTP);
Windows Print Spooler Components.
In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. This serious Windows security flaw is a path traversal flaw that attackers can exploit to copy an executable to the Windows Startup folder when a user opens a specially crafted file received through an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your “Patch Now” release schedule.

Microsoft Office

Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month’s release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and some core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.

Microsoft Exchange Server

Unfortunately, we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXEs. You will not find these latest updates in the Microsoft catalog, so I’ve included a list of updates available for the following specific builds of Exchange Server:

Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134), which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security related fixes immediately (italics added by Microsoft).
To get the latest updates, you may also have to run the Exchange SetupAssist PowerShell script. Your organization may already be comfortable with the new update format, but if you are unsure about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month’s updates to your “Patch Now” schedule, noting that all updates this month will require a server reboot.

Microsoft development platforms

Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically difficult blind “external entity” injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.

Adobe (really just Reader)

Who would have thought it? We are back this August with three updates rated critical and four rated important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month’s patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution (RCE) scenario, requiring immediate attention. Add these Adobe updates to your “Patch Now” schedule.
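Returning to the Windows zero-day (CVE-2022-34713) described above, which can leave an executable in the Windows Startup folder: the following added PowerShell check (example code, not from the original article or from Microsoft) lists recently created items in the all-users and every per-user Startup folder, with hashes and shortcut targets, for review alongside the patch rollout. It assumes an elevated session so all profiles are readable; the extension list and the 30-day window are this example’s own choices.

```powershell
# Added example, not from the original article: a defender's check tied to the
# CVE-2022-34713 description (a crafted file dropping an executable into the
# Windows Startup folder). Lists recently created items in the common and every
# per-user Startup folder. Assumes an elevated session so all profiles are readable;
# the extension list and the default 30-day window are this example's own choices.
function Get-RecentStartupItems {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    $suspectExt = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta', '.lnk'

    # All-users Startup folder plus each profile's per-user Startup folder.
    $folders = @([Environment]::GetFolderPath('CommonStartup'))
    $profileRoot = Split-Path -Path $env:USERPROFILE -Parent     # usually C:\Users
    $folders += Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in ($folders | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $folder -File -Force |
            Where-Object { $_.Extension -in $suspectExt -and $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                # A shortcut's own hash says little; record where it points as well.
                $target = $null
                if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    Bytes    = $_.Length
                    Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Target   = $target
                }
            }
    }
}

Get-RecentStartupItems -Days 30 | Sort-Object Created -Descending | Format-Table -AutoSize
```

Anything listed that is not a known, signed application shortcut should be compared against your software inventory before the host is treated as clean.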
Copyright © 2022 IDG Communications, Inc.